VYPR
Severity: High (7.4) · NVD advisory · Published May 27, 2026

CVE-2026-49014

Description

In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF driver allows code execution via a stack-based buffer overflow. It reads a geometry attribute into a fixed-size stack buffer without validating the attribute length. The attacker embeds the exploit as an oversized geometry attribute in a crafted NetCDF file. This achieves arbitrary code execution on the server running GDAL. This is in frmts/netcdf/netcdfsg.cpp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack buffer overflow in GDAL's netCDF driver allows arbitrary code execution via a crafted NetCDF file with an oversized geometry attribute.

Vulnerability

In GDAL versions 3.1.0 through 3.13.0, the function scanForGeometryContainers in frmts/netcdf/netcdfsg.cpp reads a geometry attribute into a fixed-size stack buffer without validating the attribute length. This allows an attacker to trigger a stack-based buffer overflow by providing an oversized geometry attribute in a crafted NetCDF file. No special configuration is required; the vulnerability is reachable simply by opening a malicious file with GDAL [1].

Exploitation

An attacker needs only to craft a NetCDF file containing an oversized geometry attribute. If the server or application processes user-uploaded NetCDF files, no authentication or special network position is required. When GDAL parses the file, the scanForGeometryContainers function copies the attribute into a fixed-size stack buffer without bounds checking, causing a buffer overflow that can be leveraged for arbitrary code execution [1].

Impact

Successful exploitation allows the attacker to achieve arbitrary code execution on the server running GDAL. This results in full compromise of the application and potentially the underlying host, leading to loss of confidentiality, integrity, and availability [1].

Mitigation

As of the publication date, no official patch has been released. The issue report recommends using the existing helper function that calls nc_inq_attlen() to validate attribute length before reading, as already done elsewhere in the same file [1]. Until a fixed version is available, users should avoid processing untrusted NetCDF files. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • osgeo/gdal, versions 3.1.0 through 3.13.0 (no CPE assigned; 2 version entries listed in the references)

Patches

No patches discovered yet (0 linked).

Vulnerability mechanics

Root cause

"Missing length validation before reading a geometry attribute into a fixed-size stack buffer in scanForGeometryContainers allows stack-based buffer overflow."

Attack vector

An attacker crafts a NetCDF file containing an oversized geometry attribute [1]. When GDAL's netCDF driver processes this file, `scanForGeometryContainers` reads the attribute into a fixed-size stack buffer without first checking the attribute's length via `nc_inq_attlen()` [1]. The oversized data overflows the buffer and corrupts the enclosing stack frame, including the saved return address, which is what the description's code-execution claim rests on [1]. How reliably that corruption becomes arbitrary code execution depends on how the GDAL binary was built: stack canaries, a non-executable stack and ASLR raise the bar for the attacker but do not remove the memory-safety bug, and a crash of the process (denial of service) is the minimum outcome. The attack requires the victim to open the malicious NetCDF file with GDAL, whether through the command-line tools or through any service that passes uploaded files to the GDAL library.

Affected code

The vulnerability is in the `scanForGeometryContainers` function in `frmts/netcdf/netcdfsg.cpp` [1]. The function reads a geometry attribute into a fixed-size stack buffer without validating the attribute length [1]. The file already contains a helper function that uses `nc_inq_attlen()` to safely check attribute lengths before reading, but this helper is not used in `scanForGeometryContainers` [1].

What the fix does

The advisory recommends using the existing helper function in `netcdfsg.cpp` that calls `nc_inq_attlen()` before reading attribute data with `nc_get_att_text()` [1]. This helper validates the attribute length against the buffer size, preventing the overflow. The same fix should be applied to all other calls to `nc_get_att_text()` in the affected file [1]. No patch commit is included in the bundle.
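The read pattern described in the Vulnerability, Attack vector, Affected code and fix sections above, shown as an added example that is not GDAL's code: the unchecked fixed-buffer read next to two length-checked forms (bounded copy after `nc_inq_attlen()`, and an allocation sized from `nc_inq_attlen()` with an upper cap). libnetcdf is not linked; a small in-memory mock of `nc_inq_attlen()` and `nc_get_att_text()` with the real API's signatures and byte semantics (text attributes carry no terminating NUL, and `nc_get_att_text()` writes exactly `len` bytes with no bound) stands in for it so the file builds and runs offline. The attribute table, the 512-byte oversized value, the `GEOM_BUF`/`MAX_ATTR_LEN` sizes and every function name other than the two netCDF calls are constructed for this example and do not reproduce GDAL's own helper.

```c
/* Added example, not GDAL code: unchecked attribute read vs. length-checked reads.
 * libnetcdf is mocked below; only the two nc_* signatures are the real API's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NC_NOERR          0
#define NC_ENOTATT        (-43)  /* same values as netcdf.h, redefined for the mock */
#define ERR_ATTR_TOO_LONG (-1)   /* hypothetical driver-level error code */
#define GEOM_BUF          64     /* stand-in for the fixed stack buffer size */
#define MAX_ATTR_LEN      4096   /* cap even when allocating: the file must not pick the size */

/* Constructed attribute table standing in for a NetCDF file. */
#define A32  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
#define A256 A32 A32 A32 A32 A32 A32 A32 A32
static const char OVERSIZED[] = A256 A256;   /* 512 'A's, well past GEOM_BUF */

struct mock_attr { const char *name; const char *value; };
static const struct mock_attr MOCK_ATTRS[] = {
    { "geometry",           "geometry_container" },  /* benign, as a valid CF file carries */
    { "geometry_oversized", OVERSIZED },             /* what a crafted file would carry */
};

static const struct mock_attr *mock_find(const char *name) {
    for (size_t i = 0; i < sizeof MOCK_ATTRS / sizeof MOCK_ATTRS[0]; i++)
        if (strcmp(MOCK_ATTRS[i].name, name) == 0) return &MOCK_ATTRS[i];
    return NULL;
}

/* Mock of the real call: reports the attribute length in characters (no NUL). */
int nc_inq_attlen(int ncid, int varid, const char *name, size_t *lenp) {
    (void)ncid; (void)varid;
    const struct mock_attr *a = mock_find(name);
    if (!a) return NC_ENOTATT;
    *lenp = strlen(a->value);
    return NC_NOERR;
}

/* Mock of the real call: writes exactly len bytes into ip, no bound, no NUL. */
int nc_get_att_text(int ncid, int varid, const char *name, char *ip) {
    (void)ncid; (void)varid;
    const struct mock_attr *a = mock_find(name);
    if (!a) return NC_ENOTATT;
    memcpy(ip, a->value, strlen(a->value));
    return NC_NOERR;
}

/* VULNERABLE shape: fixed stack buffer, no length query before the read. Any
 * attribute longer than GEOM_BUF bytes overruns the frame. Kept for contrast;
 * main() never feeds it "geometry_oversized" because that is undefined behaviour. */
int read_geometry_attr_unchecked(int ncid, int varid, const char *attr,
                                 char *out, size_t outsz) {
    char buf[GEOM_BUF] = {0};
    int rc = nc_get_att_text(ncid, varid, attr, buf);   /* no nc_inq_attlen() first */
    if (rc != NC_NOERR) return rc;
    buf[GEOM_BUF - 1] = '\0';
    snprintf(out, outsz, "%s", buf);
    return NC_NOERR;
}

/* HARDENED shape 1: query the length and refuse what does not fit, which is
 * the nc_inq_attlen() check the issue report recommends. */
int read_geometry_attr_checked(int ncid, int varid, const char *attr,
                               char *out, size_t outsz) {
    size_t len = 0;
    int rc = nc_inq_attlen(ncid, varid, attr, &len);
    if (rc != NC_NOERR) return rc;
    if (len + 1 > outsz) return ERR_ATTR_TOO_LONG;   /* leave room for the NUL */
    rc = nc_get_att_text(ncid, varid, attr, out);
    if (rc != NC_NOERR) return rc;
    out[len] = '\0';
    return NC_NOERR;
}

/* HARDENED shape 2: size the destination to the attribute, under a cap. Caller frees. */
char *read_attr_alloc(int ncid, int varid, const char *attr) {
    size_t len = 0;
    if (nc_inq_attlen(ncid, varid, attr, &len) != NC_NOERR) return NULL;
    if (len > MAX_ATTR_LEN) return NULL;
    char *s = malloc(len + 1);
    if (!s) return NULL;
    if (nc_get_att_text(ncid, varid, attr, s) != NC_NOERR) { free(s); return NULL; }
    s[len] = '\0';
    return s;
}

/* Thin wrappers over one static buffer so results can be checked by name. */
static char scratch[GEOM_BUF];
int checked_read_rc(const char *attr)   { return read_geometry_attr_checked(0, 0, attr, scratch, sizeof scratch); }
int unchecked_read_rc(const char *attr) { return read_geometry_attr_unchecked(0, 0, attr, scratch, sizeof scratch); }
const char *scratch_value(void)         { return scratch; }
size_t alloc_read_len(const char *attr) {          /* 0 when the read is refused */
    char *s = read_attr_alloc(0, 0, attr);
    size_t n = s ? strlen(s) : 0;
    free(s);
    return n;
}

int main(void) {
    int rc = checked_read_rc("geometry");
    printf("checked, benign:    rc=%d value=%s\n", rc, scratch_value());
    rc = checked_read_rc("geometry_oversized");
    printf("checked, oversized: rc=%d (ERR_ATTR_TOO_LONG=%d, nothing written)\n", rc, ERR_ATTR_TOO_LONG);
    printf("alloc, oversized:   %zu bytes read into a sized buffer\n", alloc_read_len("geometry_oversized"));
    return 0;
}
```

The two hardened forms trade differently: the bounded variant keeps the stack layout and simply rejects attributes that do not fit, which is the smallest change to an existing fixed-buffer call site; the allocating variant accepts long but legitimate attributes and needs the explicit cap so a crafted length cannot drive the allocation. Either way the rule is the same one the fix section states: every `nc_get_att_text()` call is preceded by an `nc_inq_attlen()` whose result is compared against the destination size.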

Preconditions

  • Input: the victim must open a crafted NetCDF file with GDAL
  • Authentication: none required

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

[1] GDAL issue report for this CVE (1 reference; link not captured on this page)

News mentions

No linked articles in the index yet (0).